| Description:
|
Details
Codr.1402
This is a very dangerous memory resident partly encrypted parasitic virus. It hooks INT 10h and 21h, and writes itself to the end of COM and EXE files (except COMMAND.COM) that are executed or opened. When the DRWEB.EXE file is executed, the virus disables its INT 21h hooker, hooks INT 22h (program terminate address), waits for the moment the program exits, and re-hooks INT 21h.
Depending on the current date, the virus runs one of its trigger routines. On Friday the 13th of any month, the virus erases data on the hard drive. On the 21st of any month at 12:xx, the virus reboots the computer.
The virus contains the text:
COMMAND.COM DRWEB.EXE .COM .EXE |
